Having a password field only appear after entering a username is a huge accessibility antipattern, isn't it? Why is everyone and their dog doing it now? It plays merry hell with my password autofill.

@Floppy which tool are you using?

I've spotted that pattern too, but KeePassXC (which I use, clearly) can be given custom fill patterns for a given form. For example


Works well on the examples I've seen so far.

@gwmngilfen Macpass (another keepass client) - I might be able to do that, but GOD what a faff to do that for everything. :)

@Floppy yeah, giant PITA, agreed. It's not a nice pattern.

@Floppy It has to do with flexible authentication. For example, passwordless logon of any type, using TLS plus 2FA, or even just using bearer authentication.

Good explanation, but then you don't need the username either.


@61 @Floppy No, you still need something to use as the lookup key. That’d be a username, email, or telephone number. Obviously, it’s preferable to have a username, since that is the only credential listed that is (most often) controlled by the user. Telephone numbers are insecure for a wide variety of uses, but are pretty much universally used.

@61 @Floppy I mean, you could use something like a QR code representing a 512-bit random integer, but that’s too complex for most users.

Sleep deprived so perhaps I misunderstand. But if you have a TLS (X.509) certificate or bearer authentication, your authentication method has all the info needed already.

#2FA is complementary to a primary authentication method, as the name says. You cannot count it as an authentication method itself.


@61 @Floppy 2FA and passwordless auth are two different concepts, yes.

A TLS client certificate provides a username, a public key, and a signature from its issuer. Authentication with it requires only that the system recognize it and the user prove control of the associated private key.

Email passwordless auth uses email as the username and a code or link transmitted to the user as the proof of control of the email address.

Both can be used with TOTP.

@61 @Floppy If you auth with TLS you won’t even see a username prompt, in other words. At least if the software is done right. Otherwise page one prompts for ID, page two prompts for a credential that may not necessarily be a password. Putting a password prompt on page one leaks system info (namely that all users have passwords). 2FA should be used always, then.
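The two-page flow described in the posts above (identifier on page one, a credential prompt chosen per account on page two, no identifier prompt at all when a recognised TLS client certificate is already present), as an added example that is not code from any of the posters. The account directory, certificate subjects and method names are constructed for illustration; a real deployment would read them from its user store and from the TLS layer.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (hypothetical identifiers and method names):
# identifier -> credential methods enrolled for that account.
ACCOUNTS = {
    "alice": {"password", "totp"},
    "bob": {"client_cert"},
    "carol@example.test": {"email_link", "totp"},
}

# Constructed mapping from a presented client-certificate subject to an
# account; stands in for the "system recognises the certificate" step.
CERT_SUBJECTS = {"CN=bob": "bob"}


@dataclass(frozen=True)
class LoginStep:
    prompt: str                       # what the next page asks the user for
    identifier: Optional[str] = None  # identifier already established, if any


def entry_step(presented_cert_subject: Optional[str]) -> LoginStep:
    """Page one. If the TLS handshake already presented a recognised client
    certificate, the identifier is known and no username prompt is shown;
    otherwise ask for an identifier (username, email or phone number)."""
    account = CERT_SUBJECTS.get(presented_cert_subject or "")
    if account is not None:
        # The user still has to prove control of the private key; that
        # proof happens in the TLS layer, so the next prompt is just a check.
        return LoginStep("client_cert_verify", account)
    return LoginStep("identifier")


def second_step_for(identifier: str) -> LoginStep:
    """Page two. Pick the credential prompt that matches the account's
    enrolled methods. Unknown identifiers fall through to the same generic
    password prompt as a password-only account, so this response alone does
    not reveal which identifiers exist."""
    ident = identifier.strip().lower()
    methods = ACCOUNTS.get(ident, {"password"})
    if "client_cert" in methods:
        prompt = "client_cert_verify"
    elif "email_link" in methods:
        prompt = "email_link"       # code or link sent to the email address
    else:
        prompt = "password"
    return LoginStep(prompt, ident)


def requires_totp(identifier: str) -> bool:
    """Consulted only after the primary credential has been verified, so the
    presence of a second factor is never disclosed before authentication."""
    return "totp" in ACCOUNTS.get(identifier.strip().lower(), set())


if __name__ == "__main__":
    print(entry_step("CN=bob"))            # no identifier prompt for a cert user
    print(entry_step(None))                # everyone else is asked who they are
    print(second_step_for("alice"))        # password prompt
    print(second_step_for("carol@example.test"))  # email link prompt
    print(second_step_for("nobody"))       # same prompt as a password-only user
```

The second-factor decision is deliberately kept out of `second_step_for`: deciding it on page two would let anyone learn, from the identifier alone, which accounts have TOTP enrolled.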
